UIS.203.2 Configuration Change Control Guidelines

In support of UIS.203 Configuration Management Policy

Georgetown University has adopted the configuration management principles established in NIST SP 800-171 “Configuration Management” control guidelines as the official policy for this security domain. Each system administrator and system owner must adhere to the guidelines and procedures associated with this policy in order to support and comply with the University information security framework.

Configuration change control includes, but is not limited to: 

  • changes to baseline configurations for components and configuration items of information systems 
  • changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices) 
  • unscheduled/unauthorized changes 
  • changes to remediate vulnerabilities 

Configuration Change Control Requirements

The UIS system change control process incorporates the following: 

  1. Enforcement of formal change control procedures. Requesting approvals and managing changes to the systems are described in UIS Change Approval and Management Procedures. This effort should include the following processes, controls, and best practices: 
    • Proper authorization and approvals at all levels

      • Documenting configuration change decisions associated with the information system 

      • Restricting changes to the information system until approvals are received 

      • Limiting access to only those parts of the system necessary for the approved change     

    • Definitions of job responsibilities/restrictions and establishing authority levels for the following: 

      • Change Approver 

      • Change Owner

      • Change Manager, and other IT staff    

  2. Successful testing of updates and new programs prior to their being moved into a production environment.

    • Test, validate, and document changes to the information system before implementing the changes on the system

    • Determine the types of changes to the information system that are configuration controlled

    • Safeguard production systems during modification, including emergency changes   

  3. Implementation of approved configuration-controlled changes to the information system 
  4. Retention of configuration change logs for the information system over the life of the system
    • Version control for each application

    • Tying program documentation updates to source code updates 

    • Standard software load for workstations, servers, network components, and mobile devices and laptops  

  5. Audit and review activities associated with configuration-controlled changes to the information system

    • Audit logs that track all accesses to the system, copying and use of source code, and updates posted to libraries

    • Rollback procedures designed to recover to the previous stable version of programs

  6. Coordination and oversight for configuration change control activities through a Configuration Change Control Board that convenes when configuration changes occur  

  7. Management of security vulnerabilities so that they are prioritized, evaluated, tested, documented, approved, and applied promptly to minimize the exposure of unpatched resources. Vulnerability Management requirements are addressed in the Vulnerability Management Guideline.  

  8. Role-based training for business and technical users covering new features and security controls introduced by the upgrade.